Cyber crime is a systemic risk and could be the next black swan event, the head of Australia’s corporate regulator says, as senior business executives warned that companies were not sufficiently prepared for such dangers.

Advancements in technology had led to a “significant growth” of cyber crime, which had an estimated global cost of $110 billion a year, the chairman of the Australian Securities and Investments Commission, Greg Medcraft, said on Monday.

Mr Medcraft, who was opening the regulator’s annual conference in Sydney, said each cyber attack was estimated to cost an Australian firm about $2 million.

He added that a cyber attack could spread quickly and have a “very dangerous effect” on the financial system.

“We are all connected now, if you have access to the internet, so the potential for systemically attacking systems, if you think about it, is enormous. The issue with cyber crime is what you don’t know you don’t know, because it is constantly evolving.

“You may never avoid it, but it is about being resilient.”

The ASIC chairman said that at a recent IOSCO (International Organisation of Securities Commissions) meeting, the actions of organisations such as the Syrian Electronic Army were raised as one example.

“It’s basically cyber terrorism, and frankly that is actually extremely scary given that we are becoming more and more connected,” he said.

The forum came a month after the Obama administration in the US unveiled its Cybersecurity Framework, a 39-page report on a plan for information sharing between the federal government and public and private critical infrastructure providers.

Mr Medcraft said ASIC would draw from some of the ideas raised in Mr Obama’s proposal, and work with regulators around the world to establish international standards on risk management systems.

Finance a risk

Earlier this month, a report by accountancy firm PwC found that financial services companies were more at risk from cyber crimes compared with their counterparts in other industries. About 39 per cent of financial services firms surveyed by PwC said they were victims of cyber crimes, in contrast to 17 per cent for other companies.

The survey’s authors said they believed the impact of cyber crime was even greater than what was officially reported.

“It is widely recognised that the financial services sector is very much at the forefront of fighting cyber crime,” they wrote.

“However, our survey results suggest that complacency still exists heavily within financial services organisations. There is a sense that financial services organisations still fail to see the importance of establishing fundamental [information technology] security objectives and linking those with business objectives and risks.”

The report’s comments were echoed by senior executives at the ASIC forum, who said tackling cyber crime had to start at the board level.

“Cyber resilience should be incorporated in the whole risk framework of the organisation,” Gail Pemberton, a director on several boards including PayPal Australia, said.

“Boards need to ask: ‘What is our vulnerability, what is our strategy, what are we investing?’ And they should be asking management to focus on that.”

Hackers used malware

In January, hackers used malware to infect US retailer Target’s point-of-sale systems and steal credit and debit card information of more than 110 million of its customers. American luxury retailer Neiman Marcus was hit by a similar attack.

Cyber security firms said the scale and sophistication of the attack was new, and would be difficult to detect and trace.

Tim Phillipps, a global managing partner for Deloitte Analytics and a former ASIC investigator, said the Target case showcased a company that was well-known for its ability to analyse its customer base, but not particularly strong in its data security.

“You’ve got to say to yourself – there’s something fundamentally wrong with the overall thinking of the executives on the board about what they are paying attention to,” Mr Phillipps said.

Despite the rapid changes in technology and the difficulties in protecting against such crimes, there was evidence that a few syndicates were responsible for a large number of the attacks, Australian Federal Police’s national manager for high-tech crime operations, Tim Morris, said.

As such, pursuing such criminal organisations could greatly reduce the number of attacks, he said.

“There was a very well-known developer in Russia who was recently taken out of the scene. Overnight, globally there was 40 per cent less malware deployed in attacking financial institutions,” Mr Morris said.